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DETAILED ACTION 

Response to Amendment 

1 . This action is responsive to communications: application, filed 12/01/2003; 
amendment filed 12/23/2008. 

2. Claims 2-1 1 , 13-34, 36, 38, 39, 41 and 43 are pending in application. Claims 2, 
34, 36, 38 and 39 are amended and claims 1,12, 35, 37, 40 and 42 are canceled. 

3. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 



Response to Arguments 

4. Applicant's arguments filed 12/23/2008 have been fully considered but they are 
not persuasive. 

5. Applicants contend that the switch 310 and access system 300 of Toh are not 
analogous to the recited client/server arrangement of the independent claim. Even if the 
switch 310 and access system 300 could be considered to be equivalent to a 
client/server environment, the switch 310 would clearly correspond to a server, not a 
client. 

6. The Examiner respectfully disagrees. Client/server terminologies are merely 
used to distinguish between the two end-points in a communication system. In the 
rejection, it has been shown that there are corresponding endpoints that teach the 
limitations of the Applicant's client and server. Also, Toh discloses "the application 
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proxies 1000 can be client based or server based," par. [0085]. Thus, Toh discloses the 
application can be client based or server based. 

7. Applicants further contend that Medvinsky doesn't disclose the authenticating 
system is "a client of the authenticated server"; Applicant submits that, regardless of 
whether the third party authentication service is considered a client of the authenticating 
server, the authentication of the ticket from the client is done by the server and, to the 
1 extent the third party authentication service is used, it is either analogous to the server 
or, more accurately, is just a resource used by the server to authenticate the ticket from 
the client. The Examiner respectfully disagrees. Medvinsky discloses a client and server 
see fig. 2. In the rejection, it has been shown that there are corresponding endpoints 
that teach the limitations of the Applicant's client and server. "Clients" and "servers" are 
merely terminologies to distinguish between the two end-points in a communication 
system. Therefore, applicants' arguments are not persuasive. 



Claim Rejections - 35 USC § 103 

8. Claims 2-5, 7-1 0,13,14 1 6-25, 27-34, 36, 38, 39, 41 , 43 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Toh et al. (US 2002/0019932) hereinafter Toh 
in view of Medvinsky (US 2002/0146132). 

9. With respect to claim 2, Toh discloses a method of rekeying (provide... a different 
public key from a different private-public key pair, par. [0064]) in an authentication 
system (fig. 1) including an authenticated data processing system (access system 300, 
fig. 6) and an authenticating data processing system (switch system 310, fig. 6), 
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comprising the following carried out by the authenticating data processing system: 
detecting failure (switch system 310 returns 650B an acknowledgement that the 
authentication failed, par. [0064] and fig. 6) of an authentication of the authenticated 
data processing system with a current public key associated with the authenticated data 
processing system (authenticating the first access system using the public key 
associated with the first access key, claim 1); and updating the current public key 
associated with the authenticated data processing system with an updated public key 
responsive to detecting failure of an authentication of the authenticated data processing 
system with the current public key (As a result of the failed authentication. ..provide the 
switch system with a different public key from a different private-public key pair (redo 
steps 500 and 505, fig. 5), par. [0064]). Toh doesn't disclose automatically updating the 
current public key. However, Medvinsky teaches such a feature (The client is able to 
automatically request a new ticket from a key distribution center in response to a 
successful authentication of the error message, see abstract and par. [0014]). 
10. Medvinsky also discloses the authentication system comprises a server-side 
authentication system (As an example, if a client wishes to access an application 
server, a third party authentication service can validate the client, par. [0003]), the 
authenticated data processing system comprises an authenticated server (the server 
initially pre-register with the third party authentication service, par. [0003]) and the 
authenticating data processing system comprises a client of the authenticated server 
(the client and the server initially pre-register, par. [0003]), and wherein detecting failure 
comprises the client detecting failure of an authentication of the authenticated server 
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with a current public key associated with the authenticated server (error message ... 
sent back to the client, par. [0041] and fig. 2); and wherein automatically updating 
comprises automatically updating the current public key associated with the 
authenticated server with an updated public key responsive to detecting failure of an 
authentication of the authenticated server with the current public key (this error causes 
the client to request a new ticket... with the currently valid service, version V+1, par. 
[0043] and fig. 2). 

11. It would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to modify Toh by automatic key updating capability as 
taught in Medvinsky to enable client to automatically recover and be successfully 
authenticated by the authentication system. 

12. With respect to claim 3, Toh discloses detecting failure of an authentication of the 
authenticated server comprises: receiving a signed certificate from the authenticated 
server; and failing to verify the signed certificate with the current public key (as a result 
of the failed authentication ... provide the switch system with a different public key from 
a different private-public key pair (redo steps 500 and 505, fig. 5), par. [0064]). 

13. With respect to claim 4, Medvinsky discloses automatically updating the current 
public key associated with the authenticated server comprises: establishing a 
connection to an authentication server (fig. 2, item 104); requesting the updated public 
key from the authentication server over the established connection (Service key update, 
item 205, fig. 2); receiving the updated public key over the established connection 
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(return a new ticket, item 213, fig. 2); and replacing the current public key at the client 
with the received updated public key (fig. 2). 

14. With respect to claim 5, Toh discloses establishing a connection to the 
authentication server comprises establishing a secure connection to the authentication 
server (a secure connection enabled application, abstract and par. [0012]). 

1 5. With respect to claim 7, Toh discloses the authenticated server and the 
authentication server comprise a single server (securely transmitting data via a single 
node (310), par. [0013]). 

16. With respect to claim 8, Medvinsky discloses requesting the updated public key 
from the authentication server comprises sending a request for an updated public key to 
the authentication server, the request including an identification of the current public key 
(fig- 2). 

1 7. With respect to claim 9, Toh discloses the identification of the current public key 
comprises a checksum of the current public key (data file 601 could be hashed, par. 
[0065] and par. [0033]). 

18. With respect to claim 10, Toh discloses receiving the updated public key 
comprises: receiving the updated public key signed with a private key corresponding to 
the current public key; and verifying a signature of the received signed updated public 
key with the current public key (As a result of the failed authentication... provide the 
switch system with a different public key from a different private-public key pair (redo 
steps 500 and 505, fig. 5), par. [0064). 
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19. The subject-matter of independent claims 13, 27, 34, 36 and 38 corresponds to 
subject-matter of claim 1 . Therefore, claims 13, 27, 34, 36 and 38 are rejected on the 
same rationale as to claim 1 . 

20. Claims 14, 16 and 17 correspond to claims 5, 8 and 9; therefore, claims 14, 16 
and 17 are rejected on the same rationale as above. 

21 . With respect to claim 18, Medvinsky discloses validating the client as authorized 
to request an updated public key based on the identification of the current public key of 
the client (authentication service can validate the client's identity to determine whether 
the client is authorized to access the application server, par. [0003]). 

22. With respect to claim 19, Toh discloses selecting a private key from a repository 
of public/private key pairs based on the identification of the current public key (par. 
[0029]); and wherein providing the updated public key further comprises: signing the 
updated public key utilizing the selected private key (the sender has digitally signed the 
data, par. [0030]); and sending the signed updated public key to the client over the 
secure connection (a secure connection module 403, par. [0037]). 

23. With respect to claim 20, Toh discloses storing the current public/private key pair 
of the server in a key repository (the key module 401 stores or otherwise accesses a 
private-public key pair of the user of an access system, par. [0040]). 

24. With respect to claim 21 , Toh discloses signing an authentication certificate of 
the server with the updated private key (The key module 401 can make the public key 
available to the switch system 310 by sending the public key or a digital certificate to the 
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switch system 310 or publishing the key or the certificate to a generally accessible 
public key database or directory 415, par. [0042]). 

25. With respect to claim 22, Medvinsky discloses automatically requesting updating 
of the current public key of the client associated with the server with an updated public 
key responsive to detecting failure of an authentication of the server with the current 
public key (system for seamlessly updating service key with automatic recovery, title). 

26. Claims 23-25 correspond to claims 3, 9 and 10; therefore, claims 23-25 are 
rejected on the same rationale as above. 

27. With respect to claim 28, Toh discloses a key repository operably associated with 
the authentication server, the key repository being configured to store previous 
public/private key pairs associated with the authenticated server (Key Module (41 1) and 
storage area (416), fig. 4). 

28. With respect to claim 29, Toh discloses the authentication server is further 
configured to select a public/private key pair from the key repository corresponding to a 
current public key of the first client from which a request was received and sign the 
updated public key with a private key of the selected public/private key pair (par. [0063] 
and Fig. 4). 

29. With respect to claim 30, Toh discloses the first client is further configured to 
receive the updated public key from the authentication server and to verify a signature 
of the received updated public key with the current public key of the first client (As a 
result of the failed authentication... provide the switch system with a different public key 
from a different private-public key pair (redo steps 500 and 505, fig. 5), par. [0064). 
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30. With respect to claim 31 , Toh discloses a second client (a second access system 
320, par. [0035]) configured to detect failure of the second client to authenticate an 
authenticated server and automatically request an updated public key associated with 
the authenticated server for which authentication failure was detected; and wherein the 
authentication server is further configured to receive requests for updated public keys 
from the second client and send updated public keys to the second client (As a result of 
the failed authentication... provide the switch system with a different public key from a 
different private-public key pair (redo steps 500 and 505, fig. 5), par. [0064). 

31 . With respect to claim 32, Toh discloses the authentication server is further 
configured to select a public/private key pair from the key repository corresponding to a 
current public key of the first client from which the request was received and sign the 
updated public key with a private key of the selected public/private key pair and to 
select a public/private key pair from the key repository corresponding to a current public 
key of the second client from which the request was received and sign the updated 
public key with a private key of the selected public/private key pair (Using access 
system 300 as an example, the key module 401 stores or otherwise accesses a private- 
public key pair of the user of an access system. The key module 401 can also be 
configured to store or access multiple key pairs of a single or of multiple users, par. 
[0040]. 

32. With respect to claim 33, Toh discloses the selected public/private key pair from 
the key repository corresponding to a current public key of the second client and the 
selected public/private key pair from the key repository corresponding to a current public 
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key of the first client are different public/private key pairs (Using access system 300 as 
an example, the key module 401 stores or otherwise accesses a private-public key pair 
of the user of an access system, par. [0040]). 

33. With respect to claim 39, Toh discloses the authenticated communication 
comprises a signed certificate, the authenticating data processing system comprises a 
client and the source of the authenticated communication comprises a server (The key 
module 401 can make the public key available to the switch system 310 by sending the 
public key or a digital certificate to the switch system 310 or publishing the key or the 
certificate to a generally accessible public key database or directory 415, par. [0042]). 

34. With respect to claim 41 , Toh discloses the authenticated communication 
comprises an e-mail message, wherein the authenticating data processing system 
comprises a mail recipient and the source of the authenticated communication 
comprises a source of the e-mail message (An example of an application proxy includes 
an email application proxy that redirects all outgoing SMTP (Simple Mail Transfer 
Protocol) traffic to the switch system 310 for delivery, and then translates all incoming 
traffic from the switch system 310 prior to it being routed to internal email). 

35. With respect o claim 43, Toh discloses the source of the e-mail message 
comprises an e-mail server (par. [0083]). 

36. Claims 6, 1 5, 1 1 and 26 are rejected under 35 U.S.C. 1 03(a) as being 
unpatentable over Toh et al. (US 2002/0019932) hereinafter Toh in view of Medvinsky 
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(US 2002/0146132) and further in view of Smith et al. (US 6, 532,543) hereinafter 
Smith. 

37. With respect to claim 6 and 15, Toh and Medvinsky don't disclose the secure 
connection comprises a Secure Sockets Layer encryption only connection. However, 
Smith teaches secure methods comprising key-escrow encapsulated within an 
application program interface ("API") such as a Secure Socket Layer, col. 10, lines 50- 
53. It would have been obvious at the time the invention was made to a person having 
ordinary skill in the art to modify Toh and Medvinsky with SSL of Smith to provide a 
secure channel between client and server. 

38. With respect to claims 1 1 and 26, Smith discloses the authenticated server 
comprises a system monitoring server (a corresponding message is transmitted to 
monitor node 674, as shown by step 1022, col. 22, lines 12-13) and the client comprises 
a resource monitoring agent (the installation server has verified that the agent module is 
installed on the proper target site, col. 22, lines 16-17). It would have been obvious at 
the time the invention was made to a person having ordinary skill in the art to modify 
Toh and Medvinsky with monitoring capability of Smith to detect and prevent 
unauthorized access to the system. 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
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TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to SHAHROUZ YOUSEFI whose telephone number is 
(571 ) 270-3558. The examiner can normally be reached on Monday-Friday 9:00- 
5:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

IS. YV 

Examiner, Art Unit 2432 
/Gilberto Barron Jr./ 

Supervisory Patent Examiner, Art Unit 2432 



